Fizzgun Bubbles

For every sample request received as input, Fizzgun will generate zero or more mutations. The rules on how to mutate a request are handled by entities called Bubbles.

Fizzgun comes with a built-in set of bubbles that will be described below. If you want to create your own set of bubbles read the create your own bubbles section.

All of the built-in bubbles support the following configuration settings (you can update the global default values for all the bubbles, and/or override the settings for each individual bubble):

  • expected_status_range (default '0-499'): Logs a report entry if the response status obtained after submitting a mutant is not in the given range. By default any 5XX response is reported as a bug. The value can be a set of ranges and/or individual codes, e.g. '100-399, 403, 404,503'.
  • mark_requests (default false): When set to true, Fizzgun adds an x-fizzgun-id header with a unique id to each generated mutant request. This is useful to correlate the requests that triggered bugs in the report with your application logs (e.g. to get stack traces or anything else that helps fix the bug).

Refer to the bubbles configuration section of the configuration page to learn how these settings are passed.

Bubble: Trimmer

Generates mutants by removing properties from JSON payloads, query strings, or x-www-form-urlencoded bodies.

E.g. For a JSON request containing this payload:

{"foo": "bar", "baz": [123, "abc"]}

It will generate mutants such as:

{"baz": [123, "abc"]}
{"foo": "bar"}
{"foo": "bar", "baz": ["abc"]}
{"foo": "bar", "baz": [123]}

applies to: Requests containing query strings, application/json or x-www-form-urlencoded bodies.

additional configuration settings:

  • json_params (default true): When true, mutants will be generated from requests containing JSON bodies.
  • url_encoded_params (default true): When true, mutants will be generated from requests containing query strings and/or x-www-form-urlencoded bodies.
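The Trimmer rule and the expected_status_range check, as an added reference implementation in Python (not Fizzgun's own code; the names parse_status_ranges, is_expected_status and trimmer_mutants are chosen here). It reproduces the four mutants listed above for the sample payload and shows how a response status is tested against a range specification such as '100-399, 403, 404,503'.

```python
import json
from typing import Any, Iterator


def parse_status_ranges(spec: str) -> list[tuple[int, int]]:
    """Parse an expected_status_range value such as '100-399, 403, 404,503'
    into inclusive (low, high) pairs; a bare code becomes (code, code)."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        ranges.append((lo_i, hi_i))
    return ranges


def is_expected_status(status: int, spec: str = "0-499") -> bool:
    """True when the status is inside the configured range(s).
    A status outside them (by default any 5XX) would be reported as a bug."""
    return any(lo <= status <= hi for lo, hi in parse_status_ranges(spec))


def trimmer_mutants(payload: Any) -> Iterator[Any]:
    """Yield one mutant per removable object property or array element.

    Recurses into nested objects and arrays, so every mutant differs from the
    sample by exactly one removed element, as in the Trimmer examples above.
    """
    if isinstance(payload, dict):
        for key in payload:
            # Drop this property entirely (insertion order is preserved).
            yield {k: v for k, v in payload.items() if k != key}
            # Keep the property but trim something inside its value.
            for sub in trimmer_mutants(payload[key]):
                yield {k: (sub if k == key else v) for k, v in payload.items()}
    elif isinstance(payload, list):
        for i in range(len(payload)):
            yield payload[:i] + payload[i + 1:]
            for sub in trimmer_mutants(payload[i]):
                yield payload[:i] + [sub] + payload[i + 1:]
    # Scalars (strings, numbers, booleans, null) have nothing to remove.


def trimmer_mutants_json(raw: str) -> list[str]:
    """Convenience wrapper: JSON text in, one JSON string per mutant out."""
    return [json.dumps(m) for m in trimmer_mutants(json.loads(raw))]
```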

Bubble: Enlarger

Identifies arguments of all types in a request and creates mutants by modifying one argument at a time, replacing its value with a larger value of the same type.

E.g. For a JSON request containing this payload:

{"foo": "bar", "baz": [123, "abc"]}

It will generate mutants such as:

{"foo": "barbarbarbarbarbar...bar", "baz": [123, "abc"]}
{"foo": "bar", "baz": [8037323323966378297779931..., "abc"]}
{"foo": "bar", "baz": [123, "abcabcabcabc...abc"]}
{"foo": "bar", "baz": [123, "abc", 123, "abc", 123, "abc", ...]}

applies to: Requests containing query strings, application/json or x-www-form-urlencoded bodies.

additional configuration settings:

  • json_params (default true): When true, it will generate mutants from requests containing JSON bodies.
  • url_encoded_params (default true): When true, it will generate mutants from requests containing query strings and/or x-www-form-urlencoded bodies.
  • grow_factor (default 1000): The factor applied to each mutated value. E.g. the string value foo is replaced with foofoofoofoo.....foo (repeated 1000 times), and the integer 10 becomes 10 to the power of 1000.
  • grow_keys (default false): When true, mutants are also generated by growing json object keys, query string argument names, and x-www-form-urlencoded argument names.

Bubble: TypeChanger

Takes each JSON property in turn and generates a mutant replacing its value with one of a different type.

E.g. For a JSON request containing this payload:

{"foo": "bar", "baz": [123, "abc"]}

It will generate mutants such as:

{"foo": 123, "baz": [123, "abc"]}
{"foo": "bar", "baz": true}
{"foo": "bar", "baz": [null, "abc"]}
{"foo": "bar", "baz": [123, {}]}
[]

applies to: Requests with application/json bodies.

Bubble: Injector

Attempts to naively unveil injection-related bugs by appending special sequences to string arguments.

applies to: Requests containing query strings, application/json or x-www-form-urlencoded bodies.

additional configuration settings:

  • json_params (default true): If true, mutants will be generated from requests containing JSON bodies.
  • url_encoded_params (default true): If true, mutants will be generated from requests containing query strings and/or x-www-form-urlencoded bodies.

Bubble: Shellshock

Attempts to exploit the Shellshock bash vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278) by injecting a specially crafted header.

applies to: Requests containing the string cgi anywhere in the request path.

additional expectations: Besides reporting any 5XX response, a successful exploitation results in the response containing a special string; if it does, the finding is reported regardless of the response status code.